Which of the following types of calculations is needed?

A well-known retailer has experienced a massive credit card breach. The retailer had gone through an audit and had been presented with a potential problem on their network. Vendors were authenticating directly to the retailer’s AD servers, and an improper firewall rule allowed pivoting from the AD server to the DMZ where credit card servers were kept. The firewall rule was needed for an internal application that was developed, which presents risk. The retailer determined that because the vendors were required to have site-to-site VPNs, no other security action was taken. To prove to the retailer the monetary value of this risk, which of the following types of calculations is needed?